disable downgrade and not enforced rule messages by default

Currently the apparmor parser warns about rules that are not enforced or
downgraded. This is a problem for distros that are not carrying the out of
tree kernel patches, as most profile loads result in warnings.

Change the behavior to not output a message unless a warn flag is passed.
This patch adds 2 different warn flags
  --warn rule-downgraded    	 # warn if a rule is downgraded
  --warn rule-not-enforced	   # warn if a rule is not enforced at all

If the warnings are desired by default the flags can be set in the
parser.conf file.

v2 of patch
- update man page
- add --warn to usage statement
- make --quiet clear warn flags

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>

parser/af_unix.cc

@@ -176,6 +176,7 @@ static void warn_once(const char *name, const char *msg)
 
 static void warn_once(const char *name)
 {
+	if (warnflags & WARN_RULE_NOT_ENFORCED)
 		warn_once(name, "extended network unix socket rules not enforced");
 }
 
@@ -321,6 +322,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 		if (kernel_supports_network) {
 			/* only warn if we are building against a kernel
 			 * that requires downgrading */
+			if (warnflags & WARN_RULE_DOWNGRADED)
 				warn_once(prof.name, "downgrading extended network unix socket rule to generic network rule\n");
 			/* TODO: add ability to abort instead of downgrade */
 			return RULE_OK;

parser/apparmor_parser.pod

@@ -239,6 +239,16 @@ Do not report on the profiles as they are loaded, and not show warnings.
 
 Report on the profiles as they are loaded, and show warnings.
 
+=item --warn=n
+
+Enable various warnings during policy compilation. A single dump flag
+can be specified per --warn option, but the --warn flag can be passed
+multiple times.
+
+  apparmor_parser --warn=rules-not-enforced ...
+
+Use --help=warn to see a full list of which warn flags are supported.
+
 =item -d, --debug
 
 Given once, only checks the profiles to ensure syntactic correctness.

parser/dbus.cc

@@ -194,7 +194,7 @@ static void warn_once(const char *name)
 {
 	static const char *warned_name = NULL;
 
-	if (warned_name != name) {
+	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 		cerr << "Warning from profile " << name << " (";
 		if (current_filename)
 			cerr << current_filename;

parser/mount.cc

@@ -558,7 +558,7 @@ static void warn_once(const char *name)
 {
 	static const char *warned_name = NULL;
 
-	if (warned_name != name) {
+	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 		cerr << "Warning from profile " << name << " (";
 		if (current_filename)
 			cerr << current_filename;

parser/parser.h

@@ -47,6 +47,13 @@ class rule_t;
  */
 extern int parser_token;
 
+
+#define WARN_RULE_NOT_ENFORCED	1
+#define WARN_RULE_DOWNGRADED	2
+
+extern dfaflags_t warnflags;
+
+
 typedef enum pattern_t pattern_t;
 
 struct prefixes {

parser/parser_common.c

@@ -80,6 +80,7 @@ int current_lineno = 1;
 int option = OPTION_ADD;
 
 dfaflags_t dfaflags = (dfaflags_t)(DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_DIFF_ENCODE);
+dfaflags_t warnflags = 0;
 
 char *subdomainbase = NULL;
 const char *progname = __FILE__;

parser/parser_interface.c

@@ -442,7 +442,7 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile,
 			sd_write_uint16(buf, profile->net.deny[i] & profile->net.quiet[i]);
 		}
 		sd_write_arrayend(buf);
-	} else if (profile->net.allow)
+	} else if (profile->net.allow && (warnflags & WARN_RULE_NOT_ENFORCED))
 		pwarn(_("profile %s network rules not enforced\n"), profile->name);
 
 	if (profile->policy.dfa) {

parser/parser_main.c

@@ -127,6 +127,7 @@ struct option long_options[] = {
 	{"preprocess",		0, 0, 'p'},
 	{"abort-on-error",	0, 0, 132},	/* no short option */
 	{"skip-bad-cache-rebuild",	0, 0, 133},	/* no short option */
+	{"warn",		1, 0, 134},	/* no short option */
 	{NULL, 0, 0, 0},
 };
 
@@ -178,9 +179,25 @@ static void display_usage(const char *command)
 	       "-h [cmd], --help[=cmd]  Display this text or info about cmd\n"
 	       "--abort-on-error	Abort processing of profiles on first error\n"
 	       "--skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel\n"
+	       "--warn n		Enable warnings (see --help=warn)\n"
 	       ,command);
 }
 
+optflag_table_t warnflag_table[] = {
+	{ 0, "rule-not-enforced", "warn if a rule is not enforced", WARN_RULE_NOT_ENFORCED },
+	{ 0, "rule-downgraded", "warn if a rule is downgraded to a lesser but still enforcing rule", WARN_RULE_DOWNGRADED },
+	{ 0, NULL, NULL, 0 },
+};
+
+void display_warn(const char *command)
+{
+	display_version();
+	printf("\n%s: --warn [Option]\n\n"
+	       "Options:\n"
+	       "--------\n"
+	       ,command);
+	print_flag_table(warnflag_table);
+}
 
 /* Treat conf file like options passed on command line
  */
@@ -285,6 +302,8 @@ static int process_arg(int c, char *optarg)
 			   strcmp(optarg, "optimize") == 0 ||
 			   strcmp(optarg, "O") == 0) {
 			display_optimize(progname);
+		} else if (strcmp(optarg, "warn") == 0) {
+			display_warn(progname);
 		} else {
 			PERROR("%s: Invalid --help option %s\n",
 			       progname, optarg);
@@ -384,6 +403,7 @@ static int process_arg(int c, char *optarg)
 	case 'q':
 		conf_verbose = 0;
 		conf_quiet = 1;
+		warnflags = 0;
 		break;
 	case 'v':
 		conf_verbose = 1;
@@ -435,6 +455,14 @@ static int process_arg(int c, char *optarg)
 		preprocess_only = 1;
 		skip_mode_force = 1;
 		break;
+	case 134:
+		if (!handle_flag_table(warnflag_table, optarg,
+				       &warnflags)) {
+			PERROR("%s: Invalid --warn option %s\n",
+			       progname, optarg);
+			exit(1);
+		}
+		break;
 	default:
 		display_usage(progname);
 		exit(1);

parser/ptrace.cc

@@ -105,7 +105,7 @@ static void warn_once(const char *name)
 {
 	static const char *warned_name = NULL;
 
-	if (warned_name != name) {
+	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 		cerr << "Warning from profile " << name << " (";
 		if (current_filename)
 			cerr << current_filename;

parser/signal.cc

@@ -241,7 +241,7 @@ static void warn_once(const char *name)
 {
 	static const char *warned_name = NULL;
 
-	if (warned_name != name) {
+	if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
 		cerr << "Warning from profile " << name << " (";
 		if (current_filename)
 			cerr << current_filename;